shield-agent.example.yaml
# shield-agent example configuration
# Copy this file to shield-agent.yaml and adjust values as needed.
# All values shown here are the defaults.
#
# Environment variable overrides use the SHIELD_AGENT_ prefix, e.g.:
# SHIELD_AGENT_LOG_LEVEL=debug
# SHIELD_AGENT_SECURITY_MODE=closed
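server:
  # Address for the monitoring HTTP server (/healthz, /metrics).
  # The default binds to loopback only.
  # NOTE(review): before binding to a non-loopback address, confirm whether
  # these endpoints require authentication; if not, restrict access to them
  # at the network layer.
  monitor_addr: "127.0.0.1:9090"

  # TLS certificate and key files. When both are set, the proxy listens over HTTPS.
  # Keep the key file readable only by the account that runs shield-agent.
  # tls_cert: "/path/to/cert.pem"
  # tls_key: "/path/to/key.pem"

  # CORS allowed origins. Use ["*"] to allow all origins (default).
  # With the wildcard, scripts served from any origin can read responses from
  # the proxy in a browser; list the expected origins explicitly outside of
  # local testing.
  # Set to specific origins to restrict access, e.g.:
  # cors_allowed_origins:
  #   - "https://myapp.example.com"
  cors_allowed_origins:
    - "*"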
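security:
  # Mode controls what happens when authentication fails.
  #   open   — log a warning but allow the request through (observation mode)
  #   closed — reject requests that fail authentication
  # The default "open" fails open: a request that fails authentication is
  # logged and still allowed through. Switch to "closed" to enforce
  # authentication once the key store is populated.
  mode: "open"

  # Path to the YAML file containing allowed agent public keys.
  # Whoever can write this file decides which agent keys are accepted, so
  # limit write access to it.
  # NOTE(review): the path is relative; confirm which directory it is
  # resolved against.
  key_store_path: "keys.yaml"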
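logging:
  # Log verbosity level: debug | info | warn | error
  # NOTE(review): confirm what the debug level records before enabling it
  # outside of development.
  level: "info"

  # Log output format: json | text
  format: "json"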
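telemetry:
  # Set to true to send anonymous usage statistics.
  # No message content is ever collected.
  enabled: false

  # URL of the telemetry ingestion endpoint.
  # The default is plain HTTP to localhost. If telemetry is enabled and sent
  # to another host, use an https:// URL so the data is not sent in clear text.
  endpoint: "http://localhost:8080"

  # How often (in seconds) to flush the local telemetry buffer.
  batch_interval: 60

  # Differential privacy epsilon parameter (higher = less noise, lower = more privacy).
  epsilon: 1.0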
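storage:
  # Path to the SQLite database used to store action logs.
  # NOTE(review): the path is relative; confirm which directory it is
  # resolved against, and restrict read/write access to the file to the
  # account that runs shield-agent.
  db_path: "shield-agent.db"

  # Number of days to retain log records before automatic deletion.
  # Records older than this are deleted, so set it to at least the period
  # your incident investigations need to look back over.
  retention_days: 30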
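# Middleware pipeline configuration.
# Middlewares run in the order listed. Omitting this section uses the defaults (auth, guard, then log).
# Setting "enabled: false" on an entry removes that check from the pipeline.
middlewares:
  - name: auth
    enabled: true

  - name: guard
    enabled: true
    config:
      # Maximum requests per minute per JSON-RPC method (0 = unlimited).
      # The default of 0 applies no rate limit; set a positive value for any
      # deployment that is reachable by untrusted clients.
      rate_limit_per_min: 0

      # Maximum request body size in bytes (0 = unlimited).
      # The default of 0 accepts bodies of any size; set a cap to bound the
      # memory a single request can consume.
      max_body_size: 0

      # List of CIDR ranges or IPs to block outright.
      # ip_blocklist:
      #   - "203.0.113.0/24"

      # List of CIDR ranges or IPs to allow (empty = allow all).
      # ip_allowlist:
      #   - "10.0.0.0/8"

      # Brute force protection: auto-block after N consecutive failures (0 = disabled).
      # brute_force_max_fails: 5

      # Validate JSON-RPC structure (reject malformed payloads).
      # validate_jsonrpc: true

  - name: log
    enabled: true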